Business and Enterprise Solutions

In Cision Block plugin for WordPress versions up to and including 4.3.0 a medium severity vulnerability CVE-2025-3782 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘id’ parameter due to insufficient input sanitization and output escaping, which execute whenever a user accesses an injected page. To address this issue, users should upgrade Cision Block plugin to versions 4.4.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3782.

In AHAthat plugin for WordPress versions up to and including 1.6 a medium severity vulnerability CVE-2025-4337 was detected. This vulnerability allows unauthenticated attackers to delete AHA pages via a forged request by exploiting missing or incorrect nonce validation in the aha_plugin_page() function, provided they can trick a site administrator into performing an action such as clicking a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4337.

In Envolve Plugin versions up to and including 1.0 a medium severity vulnerability CVE-2024-11615 was detected. This vulnerability allows unauthenticated attackers to delete language files via the `zetra_deleteLanguageFile` and `zetra_deleteFontsFile` functions due to insufficient validation of file paths. To address this issue, users should upgrade Envolve plugin to versions 1.1.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11615.

In SurveyJS plugin for WordPress versions up to and including 1.12.32 a medium severity vulnerability CVE-2025-3815 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript via the `id` parameter due to insufficient input sanitization and output escaping, resulting in Stored Cross-Site Scripting (XSS). To address this issue, users should upgrade SurveyJS plugin to versions 1.12.33 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3815.

In WPML plugin for WordPress versions 3.6.0 to 4.7.3 a medium severity vulnerability CVE-2025-3488 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript via the `wpml_language_switcher` shortcode due to insufficient input sanitization and output escaping on user-supplied attributes, resulting in Stored Cross-Site Scripting (XSS). To address this issue, users should upgrade WPML plugin to versions 4.7.4. or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3488.

In Formality plugin for WordPress versions up to and including 1.5.8 a medium severity vulnerability CVE-2025-3858 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘align’ parameter, which execute when a user accesses an injected page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Formality plugin to versions 1.5.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3858.

In Music Player for Elementor plugin for WordPress versions up to and including 2.4.6 a medium severity vulnerability CVE-2025-5340 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts via the album_buy_url parameter, leading to Stored Cross-Site Scripting (XSS) that executes when a user visits the affected page. To address this issue, users should upgrade Music Player for Elementor plugin to versions 2.4.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5340.

In Buddyboss Platform plugin for WordPress versions 2.8.50 and prior a medium severity vulnerability CVE-2024-13860 was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to inject malicious scripts via the `bbp_topic_title` parameter, leading to Stored Cross-Site Scripting (XSS) on affected pages. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13860.

In SureForms plugin for WordPress versions prior to 1.4.4 a medium severity vulnerability CVE-2025-3471 was detected. This vulnerability allows attackers with Contributor-level access or higher to update plugin settings via the REST API due to a missing authorization check. To address this issue, users should upgrade SureForms plugin to versions 1.4.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3471.